APSM BIG DATA E-MAG


Print Post Approved PP255003/10110

THE REGION'S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.asiapacificsecuritymagazine.com Sep 2013


PERTH Annual Conference 18th October, 2013 Perth Convention & Exhibition Centre Registration Now Open

www.aisa.org.au


National Conference 10th October, 2013 Sydney Convention & Exhibition Centre Registration Now Open

www.aisa.org.au



Introducing

Cloud Expo Asia

The largest dedicated cloud event in Asia World-class Conference Programme | 9 Dedicated Theatres | Over 120 Speakers 100 Leading International Suppliers | 40 Case Studies | Free to attend

The event takes place in Singapore on the 13th and 14th November at the Suntec Exhibition Centre For your FREE tickets, please register here: www.cloudexpoasia.com/APSmag


www.cloudexpoasia.com


24-27 September 2013 - Aloft Hotel, Kuala Lumpur, Malaysia

IB Consultancy is proud to announce Asia’s premier CBRNe event, The Non-Conventional Threat CBRNe Asia 2013, which will take place on 24-27 September 2013, in Kuala Lumpur, Malaysia. Building on the highly successful 2012 conference, exhibition and CBRN demonstration, NCT CBRNe Asia 2013 will expand its scope by including focused interactive training-workshops, live product demonstrations and the NCT CBRNe Awards. Event partners are the Malaysian Ministry of Defence and the Science and Technology Research Institute for Defence (STRIDE).

NCT CBRNe Asia 2013 Highlights
• The first international CBRNe conference and exhibition to take place in Malaysia
• 2 days of conference with stream sessions and interactive workshops
• Full day of specialised CBRNe training
• The NCT CBRNe Awards Gala Dinner
• Live demonstration of Malaysian Army capabilities
• Large exhibition of 30 booths and 400 attendees
• Network with attendees from regional Government, Military, Law Enforcement and the Commercial Sector from Malaysia and across Asia
• Pre-conference Icebreaker Reception

Our programme includes presentations from:
• Lt. Gen. (Ret’d) Chalermsuk Yugala, Royal Thai Army/Chemical Department, Thailand
• Dr. Socorro P. Lupisan, Head of Biosafety and Biosecurity Committee, Department of Health, Philippines
• Lt. Gen. Ke Da, Deputy Secretary General, National Defence Authority of Chemical Weapons, Cambodia
• Eric Stevenson, CBRN Capability Adviser, Australian Army, Australia
• Brig. Gen. Chan-Sup Kim, ROK CBRN School Command, Republic of Korea
• Dr. Devan Kurup, Disease Control Division MoH Malaysia/CPRC, Malaysia
• Tan Sri Dato’ Sri Khalid bin Abu Bakar, Inspector General, Royal Malaysian Police, Malaysia
• Dr. Frank G. Walter, Prof of Emergency Medicine, University of Arizona College of Medicine, USA
• Maj. Gen. (Ret’d) Dr. J K Bansal, National Disaster Management Authority, India
• Dr. Heinz-Ulrich Gläser, Federal Office of Bundeswehr Equipment, Information Technology and In-Service Support, Germany
• Mr. Hekmat Khalil Karzai, Director, Centre for Conflict and Peace Studies, Afghanistan
• Brig. (R) Syed Tahir Raza Naqvi, Pakistan National Command Authority - Strategic Plans Division, Pakistan



Cyber Security and Digital Forensics 2013 3-5 December 2013, Kuala Lumpur, Malaysia

Event Highlights

• 2 days of conference with high-level speakers from Malaysia, Asia-Pacific, Middle East, Europe
• See the latest technologies and solutions for the Cyber Security and Digital Forensic community
• Exclusive site-visit to the lab of CyberSecurity Malaysia
• Focus on the Asian approach to Cyber Security and Digital Forensics
• Great networking

Prices
Delegate Fee: SGD 1499,-
Delegate Fee (Emerging Economies): SGD 599,-

10% Early bird discount till September 30th.

www.ib-consultancy.com


Contents

Editor's Desk
5 minute TechTime Snapshot
Quick Q & A
Movers & Shakers
Upcoming Events

Special Interviews
• Matthew Curtis – Chair of the Australasian Council of Security Professionals
• Geoff Craighead – President of ASIS International

Cover Story
• Cornerstone alliance in the Asia Pacific: Exclusive Interview with John Howard, Australia’s 25th Prime Minister

International
• Fighting for the future of Brazil

Regional
• Myanmar ethnic violence comes to India

National
• Thank you.... Speech by Paul McClintock

Women in Security
• A rose without a thorn – Christina Rose

Cyber Resilience
• Big data transforms security
• Government data surveillance – India’s way

Frontline
• What vulnerability assessors know that you should, too.
• Are you being spied on?
• Combating the security industry – A perspective from a veteran

Special Feature - Access Control
• In the protection zone

TechTime - The latest news and products
Bookshelf

Executive Editor / Director: Chris Cubbage
Director / Co-founder: David Matrai
Senior Editor: Loreta Cilfone
Business Development Manager: Louise Street
Art Director: Stefan Babij
Correspondents: Sarosh Bana, Sergei DeSilva-Ranasinghe, Jaya Prakash, Kema Rajandran, Adeline Teoh
Contributors: Lindsay Hughes, Roger Johnston, Shannon Sedgwick, Navid Sobbi, Jon Warner

Copyright © 2012 - My Security Media Pty Ltd
286 Alexander Drive, Dianella, WA 6059, Australia
T: +61 8 6465 4732 | E: info@mysecurity.com.au
E: editor@asiapacificsecuritymagazine.com

All Material appearing in Asia Pacific Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

4 | APSM Asia Pacific Security Magazine | Issue #50




Editor's Desk

“I can accept anything, except what seems to be the easiest for most people: the half-way, the almost, the just-about, the in-between”- Ayn Rand

Welcome to a milestone 50th issue of the Asia Pacific Security Magazine. As a special issue we fittingly feature an interview with Australia’s 25th Prime Minister, John Howard. Atop our Ambassador series, John Howard’s interview coincides with his keynote speech at the ASIS International Annual Seminar, Chicago, and Australia’s Security in Government Conference – SIG 2013. As proud media partners to these events we continue to welcome a host of new readers and a growing audience. After 50 issues, a publication and its publishers have many thanks to give – to our readers, contributors, correspondents, advertisers and staff – on behalf of all, a big thank you and congratulations. Let the work continue and enjoy the ride!

As professionals in a global world, we need to constantly look up and to the horizon – with a strategic mindset, as well as tactically and commercially. We are approaching a time when China is anticipated to exceed the USA as the world’s largest economy. There is, naturally, the need to balance military and defence relationships. However, the region is, unfortunately, renowned for significant and wide ranging conflict. Add catastrophic natural disasters, climate change and resource security (food/water/energy), and these regional issues create national and local commercial risk for all economies. Along with the commercial opportunities, the security of the region requires ongoing monitoring by security advisors, risk managers, operational managers, procurement advisors, supply chain managers and you – our readers.

Whilst evolution to a regional magazine was designed to recognise and accommodate the Asia Pacific as the most exciting and significant region on the planet, we have remained cognisant of broader security and media industry developments, and in my view, the exciting moments of the emergence of the security profession, globally.
This accompanies growth in the fields of Risk Management, Corporate Governance, Business Continuity Management, Corporate Social
Responsibility and a host of other specialist fields – intelligence, investigations, insurance, facility management and so on. We acknowledge also the austere commercial professionalisation of military, law enforcement and regulatory sectors. With all this in mind, we present the John Howard interview for insight into how a national leader considers broad and critical issues amongst unique diplomatic situations. John Howard recounts the key regional dilemmas during his term in office with East Timor and Indonesia, and expresses his views on the future of Australia’s ties with both countries. He also gives frank thought to the consequences for Australia-China relations, the US rebalance to Asia and the future challenges to Australian foreign policy, and finally, the legacy of his decisions in Australian strategic policy. This is a timely and important interview given Australian foreign policy debate and the 2013 Australian Federal Election. We also await the outcomes of the reforms by the Rudd Government to the introduction of the Papua New Guinea solution for asylum seekers. As a highlight, for our Women in Security feature we interview Christina Rose, Assistant Director, Department of Infrastructure and Transport – Office of Transport and Security. We examine Indian cyber security and the Indian Government’s Central Monitoring System (CMS), set up at a cost of Rs4 billion ($73 million), by the Centre for Development of Telematics (C-DOT). Like Australia’s reforms, the CMS will monitor all online activities such as electronic mails and social media communications, telephone calls and text messages. And look out for ‘Big Data Transforms Security’ featuring Arthur (Art) Coviello, Jr, discussing the ways Big Data is transforming the security industry, information technology, business and society. 
Finally, for the lead up to the FIFA 2014 World Cup and the 2016 Olympic Games we have a special report on Brazil’s preparations and some real challenges for major event and VIP security. As a special issue I’d like to thank Jason Brown, current Chair of the Australian Security Medals Foundation for his support to this publication, and most recently the support provided by Matthew Curtis, Chair of the Australasian Council of Security Professionals and Geoff Craighead CPP, President of ASIS International. We also have leading SCEC Endorsed consultants Dr Kevin Foster, Mark Jarratt CPP and Tony Haddad JP, providing their views on Access Control within the Protective Security Policy Framework, being introduced across the Australian Federal Government. There remains much more to comment on and I will leave it to you to delve further and enjoy. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage. I look forward to hearing from you and encourage you to connect with us and retain My Security Media as your personal professional library, willing to listen and accessible anytime, anywhere. Yours sincerely,

Chris Cubbage

CPP, RSecP, GAICD

Executive Editor

NEXT ISSUE HIGHLIGHT Feature interview with USA Ambassador to Australia, Jeffrey Bleich

OUR NETWORK Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.


2013 SRI Security Congress

2-4 December 2013

Over three days ECU’s SRI Security Congress will bring together all areas of security professions and disciplines as part of a holistic engagement for the wider security community. This congress will explore how to reduce the efficacy, persistence and abilities of advanced threats that jeopardise our critical systems stability. It will also examine methods, tools, techniques and frameworks in dealing with some of the serious problems that our increasingly interconnected, digitised systems are producing that threaten our economic and social well being. All submitted papers will undergo a double blind peer review process.

The 2013 SRI Security Congress will host 6 security based conferences over 3 days:
• 14th Australian Information Warfare
• 11th Australian Information Security Management
• 11th Australian Digital Forensics
• 6th Australian Security and Intelligence
• 4th Australian Counter Terrorism
• 2nd Australian eHealth Informatics and Security

Venue: Edith Cowan University, 270 Joondalup Drive, Joondalup WA 6000. Tel: +61 8 6304 5176

Contact details: Congress Coordinator - Emma Burke. Tel: +61 8 6304 5176 E: sri@ecu.edu.au W: http://conferences.secau.org/venue.php

Key dates:
• Paper Submission Deadline - 30 September 2013
• Acceptance Notification - 28 October 2013
• Camera Ready Papers - 11 November 2013
• Early Bird registration - 11 November 2013

reachyourpotential.com.au

Tel: 134 ECU (134 328) E: futurestudy@ecu.edu.au

★★★★★ TEACHING QUALITY ★★★★★ GRADUATE SATISFACTION the good universities guide 2013

ECUSRI Edith Cowan University Security Research Institute



....with Steve Simpson
Manager, Security Consulting, Amcom

Steve Simpson has been working in security environments since joining the army at 18 years of age. He has been working solely in IT and Information Security for 16 years, and today he heads up Amcom’s security consulting division which allows him to advise Perth companies and Government departments on security governance, risk and compliance. He is also a business advisor for Amcom, advising the organisation on the strategic direction for security. Since 2010, he has been executive member of the Perth AISA branch.

How did you get into the security industry?
I am not entirely sure how I came to be in security, it just sort of happened. Security was such a big part of my everyday work in military communications that I did not even realise how much experience and knowledge I was amassing. However, once I became an IT consultant it soon became very clear just how much security advice I was able to impart to my clients and it was not long before this became my primary role. Security is a topic that I am quite passionate about so am very glad that fate led me down this path. This is why I am happy to dedicate some of my spare time to the Australian Information Security Association.

How did your current position come about?
L7 Solutions advertised for a business advisory consultant just as a contract job was finishing and I jumped at the opportunity. I have always enjoyed working in a consulting role and this was the chance to establish a security consulting practice within an established IT organisation which I was very keen to take on. Two years down the road L7 was acquired by Amcom and here I am.

What are some of the challenges you think the industry is faced with?
The security industry as a whole will always have challenges to face, that is our job after all. However, things have changed considerably in the last few years. Cyber attackers are far more criminally motivated and appear to be more organised than some corporate and Government organisations are. We have also seen more recently, a lot of public finger pointing at International Governments as being the source of some cyber incursions and attacks which generates further challenges. With all these changes in the profile and motivation of attackers we certainly need to be cautious and ensure that we have a security strategy in place that is up to this challenge. My personal belief is that security activity monitoring is becoming more essential for any business to help them have a greater understanding of the activity that is happening within their IT environment. The one challenge that is going to remain though, is that it is becoming increasingly difficult to convince a business of their need for security, if their security works well, no one will see the threats, and if the security does not work well, the threats are so stealthy that the business will still not see the need.

Other challenges right now from a security perspective are the increased take up of cloud computing operations and that of BYOD. With the changes in attack profile already mentioned businesses looking for cloud computing solutions need to be very careful to ensure that the solution they go with has the security that they need to protect the information assets that will be entrusted to the cloud. Transborder issues and cloud supply chain are also concerns in cloud computing that need to be understood before an organisation hands over their valuable data. There are plenty of safe options available but it will take some research and forethought to find them sometimes. BYOD is here to stay whether we like it or not, many organisations have seen it arrive by stealth rather than strategy which increases the complexity of the challenge. The best way forward is going to be to embrace the technology and govern its use to ensure that you maintain the right level of control.

Where do you see the industry heading?
Through my role with AISA, I have seen a large increase in the number of information security professionals in Perth. Branch membership has doubled in the last three years which is great to see. I definitely see an increase both across the technical security roles and the strategic side of Governance, Risk and Compliance. Whilst global authorities have had some great wins against threat groups, the complexity and stealth of threats is only going to increase. Protective monitoring is going to become far more important in BAU situations to ensure that we have the best view of the activity within our enterprise environments.

What do you do when you’re not working?
When I am not working or heading up the Perth AISA committee, I am a volunteer training manager with the State Emergency Services or am working with my wife building a holiday home. And when I have any time off from that lot I try to get a bit of quiet time fishing.




Grant Whitehorn

Grant Whitehorn, previously a Director of RMIA, has been appointed new Chief Executive Officer of RMIA along with a new board structure and board committee governance arrangements. RMIA’s board meeting, which was held late June 2013, determined that a strategically focused structure was necessary to drive the growth of the organisation into the future. This means that apart from the executive positions on the board, directors would no longer be allocated specific portfolios but would work more closely with each of the Board Committees. Along with Whitehorn, the new board structure includes: Bryan Whitefield, President and Chairman of the Board; Scott Minchin, Vice President (Strategy); Rod Farra, Vice President (Operations); Sally Bennett, Finance Director; Tarique MacDonald-Razvi, Director; and Anthony Ventura, Director. New President and Chairman of the Board, Bryan Whitefield, commented, “Firstly, let me congratulate Grant on his appointment to Chief Executive Officer, which commences from today. The board’s decision to appoint Grant Whitehorn as CEO is due, in part, to his intricate knowledge of RMIA and his extensive industry experience. We also needed to ensure we achieved a seamless transition for our members and Grant’s clarity of the purpose of RMIA and his ability to drive its strategic direction based on his many years experience on the Board, including his two terms as President, made him the obvious choice. Also, Grant’s previous experience as the CEO and Company Secretary of a small business, along with his excellent relationships with RMIA’s key partners and stakeholders, will allow him to continue to grow the business and deliver on our value proposition for members. Grant will now lead the transition of administrative functions from the ACI back to RMIA. He will also manage our corporate strategy and operational business plans moving forward.”

Giri Ramamoorthy

Global company specialising in remotely managed security systems, Pacom Systems, has announced the appointment of Giri Ramamoorthy as Director for Sales and Business Development for the Asia region. Ramamoorthy has more than 17 years of security industry experience. Based in Singapore, Ramamoorthy will be responsible for accelerating the expansion of the Pacom business in the Asia region. Prior, he was at Cisco Systems where he was instrumental in leading and architecting a new corporate initiative that generated new business for Cisco and its partners. Other previous appointments included Honeywell and Diebold. General Manager of Pacom, Andrew Minnikin, says, “Giri is a talented professional and we are looking forward to him joining our team.” He added, “We remain committed to the Asian market and I am confident Giri’s experience and local market knowledge will help us strengthen our presence, create value for our customers and drive continued growth for Pacom in the region.” Ramamoorthy commented, “I am delighted to be joining such an innovative company. It is a great time to build on Pacom’s 30-year history and I look forward to being part of its future success in the Asia region.”

Scott Bernat

Scott Bernat joins American firm, G2 Ops, as Director of Maritime Solutions. Bernat’s previous position was with the US Naval Criminal Investigative Service (NCIS) where he spent 26 years. G2 Ops has joined forces with Consolidated Services International (CSI) and its local affiliate PT Interteknis Suryaterang, based in Jakarta, to offer physical and technical port, maritime and oil and gas industry-specific safety and security solutions for Indonesia. As well as security offerings for the Asian region, Bernat’s team will also provide fraud and loss prevention services. In the next decade Indonesia is set to become one of the top ten economies in the world. Its fast growing economy is reliant on its port and maritime industry to facilitate economic interests. Although there are many security consultancies operating within Indonesia, many of these are not port and maritime specific. Bernat comments, “There is often a lack of global subject matter expertise and international commercial contacts necessary to fully realise success in this arena. Destination countries require assurance that personnel, maritime assets and associated cargo have been covered by and subjected to the highest safety, security and loss prevention standards. If these issues are not properly addressed, affected industries could suffer loss of life, irreparable damage to their public image, and ultimately loss of investor confidence and revenue.”

Dave Cote

Dave Cote, Chief Executive Officer of Honeywell, has been selected by Chief Executive magazine as ‘CEO of the Year’. The award is an honour that recognises an outstanding corporate leader nominated and selected by peers. “It’s a great honour to be recognised as Chief Executive’s CEO of the Year,” says Cote. “I’m proud of Honeywell’s performance and the terrific returns we’ve provided our shareowners.” The award recognises the transformation of Honeywell under Cote’s leadership during the last 10 years – Honeywell’s sales have increased by 71 percent. Nominations for CEO of the Year were collected from the magazine’s readers. The ten most frequently cited nominations were evaluated and a winner was voted upon by a peer Selection Committee consisting of CEOs from leading global corporations. Cote added, “Receiving the honour of CEO of the Year is very rewarding.”

If you have an entry for Movers & Shakers please email details and photo to editor@asiapacificsecuritymagazine.com



For a full list of upcoming security events visit: www.asiapacificsecuritymagazine.com/security-events/

August 2013

12 – 14 August 2013
25th Security in Government Conference - SIG 2013
Venue: National Convention Centre, Canberra, Australia
Event Topic: The SIG Conference began in 1987 as a meeting of agency security advisers focusing on protective security issues. Since its inception, attendance at the conference has enabled delegates to engage with public and private sector security experts from a diverse range of fields. The extensive trade exhibition attached to the conference features more than 100 security-related service providers who work closely with both the government and private sector to provide cutting-edge solutions to protective security issues.

19 – 20 August 2013
Security & Risk Management Summit
Venue: Sydney, Australia
Event Topic: The Gartner Security & Risk Management Summit is the premier conference and meeting place for IT and business executives responsible for creating, implementing and managing a proactive and comprehensive strategy for information security, risk management, governance, business continuity management and business resiliency. This event has been crafted specifically to meet the needs of security professionals, reflecting the topics and issues that are challenging today’s leading world-class enterprises.

22 – 24 August 2013
2nd Annual Cloud Computing Summit
Venue: New Delhi, India
Event Topic: The second annual cloud computing summit is bringing back key CIOs at a single platform towards overcoming the general inertia plaguing the sector. Cloud is slowly gaining acceptance amidst the global meltdown. This brings forth two strands of thought: accepting the cloud and rising pressure on the ROI from cloud. Security and legal issues remain the constant issues adding to the ‘jump or not’ question. These troubling times raise difficult questions and even complex answers.

September 2013

10 – 12 September 2013
Big Data World Asia
Venue: Suntec Tower 4, Singapore
Event Topic: Big Data World Asia 2013 is Asia’s leading strategic analytics and data conference where business leaders, data scientists, heads of analytics and senior marketers from the region learn the strategies, intelligence and technology that they need to leverage Big Data effectively.

12 September 2013
The Global Security Challenge
Venue: Royal Holloway, University of London, Egham, UK
Event Topic: The Global Security Challenge (GSC) is an annual global competition seeking to identify the most promising security technology start-ups and SMEs from around the world. InnoCentive EMEA is running the Global Security Challenge for the 7th consecutive year and this year’s competition focuses on Cyber Security.

24-27 September 2013
The ASIS International 59th Annual Seminar and Exhibits (ASIS 2013)
Venue: McCormick Place in Chicago, Ill., USA
Event Topic: Recognised as the security industry’s most comprehensive education and networking event, ASIS 2013 is anticipated to draw more than 20,000 security professionals from around the world for education, networking, and an expansive exhibit floor of security products and services. (ISC)2, the largest not-for-profit membership body of certified information security professionals worldwide, will collocate its third annual Security Congress with ASIS 2013. Registration and housing for ASIS 2013 is now open. Visit www.asis2013.org for complete event details, including registration, housing, and sponsorships.

24-27 September 2013
Non-Conventional Threat: CBRNe Asia 2013
Venue: Aloft Hotel Kuala Lumpur, Malaysia
Event Topic: IB Consultancy is proud to announce Asia’s premier and largest CBRNe event. Building on the highly successful 2012 conference, exhibition and demonstration, NCT CBRNe Asia 2013 will expand its scope by including focused interactive training-workshops and the NCT CBRNe Awards. The conference will include high-level speakers from all over the APAC region, Europe, the Middle East and the USA. This includes a large contingent from the Royal Malaysian Government and Government agencies from across Southeast Asia and the rest of the world. NCT CBRNe Asia is organised in full partnership with the Malaysia Ministry of Defence and the Science and Technology Research Institute for Defence (STRIDE).


21 – 24 October Goa, India gartner.com/in/symposium

The World’s Most Important Gathering of CIOs and Senior IT Executives Leading in a Digital World Accelerating growth. Creating new connections. Driving greater agility. A powerful convergence of forces — mobile, social, cloud and information — is rapidly reshaping how business gets done now and in the future. Gartner believes CIOs and senior IT executives are at the center of this transformation, leading the creation of the digital enterprise. At Gartner Symposium/ITxpo 2013, attendees will discover how to seize new opportunities, forge strategic partnerships to drive change, and evolve to become indispensable leaders in the digital world.

Five role-based tracks:
• Applications
• Business Intelligence & Information Management
• CIO
• Infrastructure & Operations
• Strategic Initiatives

Two Industry tracks:
• Banking
• Insurance

Just announced! Luminary Guest Keynote: Jamie Anderson, ‘Management Guru’, Professor of Strategic Management at Antwerp Management School and the Lorange Institute of Business Zurich, and Visiting Professor at London Business School

Four days | 800+ total attendees | 200+ CIOs | 130+ analyst-led sessions | 40+ solution providers | 30+ Gartner analysts | Exclusive CIO Program

Register using promotion code SYMAD5 to save INR 10,000


Big Data

An Overview of Homomorphic Encryption

By Praveen Gauravaram

In the modern computing era it is becoming important to provide privacy and security for customers’ data on which computations are made. In particular, enterprises consider surrendering the privacy of their data to a third-party cloud service provider to be one of the main hindrances to moving their data to a cloud environment and delegating its processing to the provider. One interesting question in this context is ‘whether it is possible to delegate data processing ability to the cloud server without giving away access to data’.

A naive solution to this problem is to encrypt the data at the user’s end and store only the meaningless (encrypted) data in the cloud; when the data is needed, the user downloads it, decrypts it, performs operations on the clear data, encrypts the updated data and transfers the meaningless data back to the cloud. Obviously, this approach forfeits the advantages of cloud computing. An alternative approach is to outsource operations on the encrypted data to the cloud and retrieve the results from the cloud in encrypted form. When the client decrypts the encrypted computed data, the result corresponds to the result of some operations on the plain data. This property is called homomorphism, and the encryption algorithms that have this property are called homomorphic encryption schemes. This paper provides an overview of homomorphic encryption.

Need for Storage and Computations on the Encrypted Data

With the advent of cloud computing and other related technologies that enable efficient data storage and processing capabilities for individuals as well as for enterprises, privacy for the data stored online has become a major concern. While security measures provide protection against malicious attackers, privacy is about users having control over their personal data and over the actions taken on that data. Personal data could be the medical history of a patient, the financial records of a bank customer, the tax information of an individual or a company, photos, private chat conversations and so on. Even with effective security measures in place, there is no guarantee of users’ data privacy when the data is outsourced. In this scenario, one possible solution to protect data privacy is to encrypt the data and carry out tasks on the encrypted data.

Some use cases for computations on encrypted data are outlined below:

• As pointed out in the introduction, delegation of computations on encrypted data to the cloud service provider.

• Users of cloud computing services may also not want the service provider to know about their queries to the cloud (which holds the data). The solution in this context is to encrypt queries to the cloud and allow the cloud to process the queries and return encrypted results. For example, a person looking for directions to drive to a particular geographical location may not want his map search engine server to know about his location and the place he is planning to go to. Therefore, he encrypts his query and sends it to the server, which applies it to the data and returns the directions in encrypted format to the client, who decrypts them. As a relatively less complex function (in terms of the amount of data that has to be handled on the server), consider an ornament designer who would like to retrieve interesting design patterns for an ornament from a well-known pattern server that maintains an array of patterns indexed by numbers. The designer may not want the server to know what patterns he is looking for in the database, so that no information about the design patterns is leaked to the server or anyone else. In this case, the designer encrypts the array index and sends it to the server, which responds with the encrypted pattern without actually knowing which pattern was encrypted.

• Organisations that rely on Big Data service providers offering data analysis services for their business (for example, health care, retail and E-commerce, automotive sector) may also not want these service providers to know about their data.

Homomorphic Encryption

A homomorphic encryption scheme allows operations such as addition and multiplication on encrypted data such that the resulting encrypted data, when decrypted, produces plain data that is equivalent to the result of a computation on the original plain data. If E is a homomorphic encryption scheme and a and b are plain data inputs to E, then the homomorphic property is defined by E(a) . E(b) = E(a * b), where * and . are some mathematical operations. That is, anyone (for example, a cloud server) that has access to E(a) and E(b) can compute E(a) . E(b) to find the encryption of a * b without knowing a, b or the secret key of E.

The idea of homomorphic encryption and its necessity are nearly as old as the invention of the RSA encryption algorithm. The original unpadded RSA and ElGamal encryption schemes have a built-in multiplicative homomorphic property, where both . and * are multiplication operations. Paillier is another popular encryption scheme, for which multiplying two encrypted values corresponds to encrypting the sum of the two plain values. Since such designs do not support the homomorphic property over both multiplication and addition, they cannot be used to carry out all computations and hence are called partial homomorphic encryption schemes.

If a scheme can support both addition and multiplication, then other functions can be written in terms of these operations. Such a scheme was an unanswered puzzle among cryptographers for thirty-one years since the invention of RSA. The possibility of designing a homomorphic encryption mechanism that supports arbitrary operations was first shown by Gentry. Such a scheme is called a fully homomorphic encryption (FHE) scheme. Further research in the last few years has led to the design of conceptually simpler schemes. Typically, the design of an FHE scheme first involves the design of a somewhat homomorphic encryption (SWHE) scheme. An SWHE algorithm can support both addition and multiplication operations, but only a few computations on the encrypted data.

FHE schemes can be designed as both symmetric-key and asymmetric-key schemes. In a symmetric-key encryption scheme, the key generation algorithm generates one key that is used for both encryption and decryption, whereas in an asymmetric-key scheme it generates two keys: a public key for encryption and a private key for decryption. The security of FHE schemes relies on the difficulty of solving some hard mathematical problem.

From an abstract view, designing an FHE scheme has two steps. Let f be a function that needs to be computed on the encrypted data. For example, f could be searching a database using an encrypted query, or computations on encrypted data in the cloud.

1. Express the function f as a Boolean circuit (that is, binary gates). A Boolean circuit is a diagram that implements AND, OR and NOT operators on input bits and produces output bits. These Boolean operators form a universal basis, with which every function mapping from input to output can be implemented by a Boolean formula.
2. Design an encryption scheme that supports additions, multiplications and subtractions. If there is an encryption scheme in which one can do these computations bit by bit, then any function f can be computed by expressing it as binary gates in these operations.
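The multiplicative property of unpadded RSA and the additive property of Paillier described above, together with the pattern-server lookup from the use cases, shown as an added Python example that is not part of the original article. The primes, the pattern table and all function names are constructed for illustration, and the key sizes are toy values chosen so the arithmetic is easy to follow.

```python
# Added example: toy partially homomorphic encryption (not production crypto).
# Primes, helper names and the pattern table are constructed for illustration.
import math
import secrets

# Textbook (unpadded) RSA: multiplying ciphertexts multiplies plaintexts.
RSA_P, RSA_Q, RSA_E = 1009, 1013, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))


def rsa_encrypt(m):
    return pow(m, RSA_E, RSA_N)


def rsa_decrypt(c):
    return pow(c, RSA_D, RSA_N)


def rsa_multiply(c1, c2):
    """E(a) . E(b) = E(a * b mod n), computed without the private key."""
    return (c1 * c2) % RSA_N


# Paillier with generator g = n + 1: multiplying ciphertexts adds plaintexts.
def paillier_keygen(p, q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                                # valid for g = n + 1
    return n, (lam, mu)                                 # public n, private key


def paillier_encrypt(n, m):
    n2 = n * n
    while True:                       # fresh randomness for every ciphertext
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(n + 1, m, n2) * pow(r, n, n2)) % n2


def paillier_decrypt(n, priv, c):
    lam, mu = priv
    return ((pow(c, lam, n * n) - 1) // n * mu) % n


def paillier_add(n, c1, c2):
    """E(a) . E(b) = E(a + b mod n)."""
    return (c1 * c2) % (n * n)


def paillier_scale(n, c, k):
    """E(a)^k = E(k * a mod n) for a public constant k."""
    return pow(c, k, n * n)


# Pattern-server use case: the client sends an encrypted one-hot selector,
# the server folds every record into one ciphertext and never sees the index.
def client_query(n, index, size):
    return [paillier_encrypt(n, 1 if i == index else 0) for i in range(size)]


def server_answer(n, query, patterns):
    acc = 1                                   # trivial encryption of 0
    for c, pattern in zip(query, patterns):   # every record is processed
        acc = paillier_add(n, acc, paillier_scale(n, c, pattern))
    return acc


PATTERNS = [4021, 1877, 9350, 662, 5098]      # constructed server-side table


def private_lookup(index, p=1019, q=1021):
    n, priv = paillier_keygen(p, q)
    reply = server_answer(n, client_query(n, index, len(PATTERNS)), PATTERNS)
    return paillier_decrypt(n, priv, reply)


if __name__ == "__main__":
    print(rsa_decrypt(rsa_multiply(rsa_encrypt(6), rsa_encrypt(7))))
    print(private_lookup(3))
```

The server has to process every record to build its reply, because skipping one would reveal that it was not the record requested. The same property that makes unpadded RSA homomorphic also makes its ciphertexts malleable, which is why deployed RSA encryption uses padding.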

Possibility vs Practicality

While it is possible to design and implement secure FHE schemes, as of now this technology is slow. One significant reason is that each bit, rather than a block of bits, is encrypted, each encryption results in large encrypted data, and operations take place on this large encrypted data. Fujitsu Laboratories Ltd has recently improved this design feature by designing a scheme that can encrypt a group of bits. The other major limitation of FHE is that, since the cloud server does not know anything about the operations, for some computations, such as searching for an encrypted query against a huge encrypted database, the server would return information on every record in the database (that is, both matching and non-matching records). Thus, the onus would be on the client’s machine to decrypt all these records, when the cloud server was actually supposed to have solved the task. Recent work shows that with a functional encryption scheme it is possible, although impractical, for the cloud server to return only exact matches for the encrypted query. One interesting application of functional encryption is software obfuscation, where it is possible to encrypt software but still be able to execute and run it. While this is interesting, it could also (when it becomes practical) bring potential disaster for anti-virus research or any type of malware-detection-based protection, as attackers can obfuscate harmful code so that it is hard to analyse.

Conclusion

The invention of homomorphic encryption is one of the great advances in cryptography. Simple functions seem to be efficiently implementable with SWHE schemes, and researchers are hopeful that FHE technology will become practical at some point. It is a worthy research topic, as it leads to ideas for efficient and secure designs as well as to optimised implementations of these designs.

About the Writer

Praveen Gauravaram is an Associate Consultant conducting scientific work and consultancy in cryptology and information security at Tata Consultancy Services Limited, India. Prior to this he held postdoc research fellow and research associate positions at Danmarks Tekniske Universitet (DTU), Denmark and Queensland University of Technology (QUT), Australia respectively. Since starting his career as a PhD student at QUT in 2003, Praveen has published several research articles on cryptographic hash functions.

Article acknowledgements and references are available on request.



Feature Interview

Cornerstone Alliance in the Asia Pacific

Australia is a nation that remains inextricably linked to the dynamic Asia Pacific region. In an exclusive APSM interview, Sergei DeSilva-Ranasinghe spoke to Australia’s former and 25th Prime Minister, John Howard, who recounted key regional dilemmas during his term in office with East Timor and Indonesia, and expressed his views on the future of Australia’s ties with both countries. He also shared his frank thoughts on the consequences for Australia-China relations, the US rebalance to Asia and the future challenges to Australian foreign policy, and finally, the legacy of his decisions in Australian strategic policy.

By Sergei DeSilva-Ranasinghe
APSM Correspondent

Given the Asia Pacific focus of this conversation, let me start by asking you about the East Timor intervention. Your support for East Timor’s independence was one of the high points of your prime ministership. Upon reflection, how do you view the implications of your decision?

Our involvement there was one of the noblest things that Australia has done internationally in decades. It was the right thing to do to change our policy. We did it at the right time and we had a most effective military intervention that was extremely well led by General Cosgrove. It did far less damage to Indonesia than it might have done, given that there was an element of humiliation for Indonesia involved in what happened. The co-operation that we were able to get from neighbouring countries with the intervention force was a tribute to the enhanced respect with which Australia is held in our part of the world. I see it overwhelmingly as a very proud thing that we did. Any such operations are fraught with risk. It worked very well, but if an Australian patrol had been ambushed by a rogue militia element, then the whole complexion of the mission and the attitude of the public back at home would have been quite different. We helped to produce an East Timor that has had a better start than most other countries with a population of about a million because it has got access to resources and, in that sense, the onus is now on the East Timorese not to squander that advantage. East Timor does have assets that other emerging countries do not have, which actually creates a much greater obligation not to squander the advantages that they can bring. I am hopeful for East Timor’s future. I worry about some of the fits and starts, but you have to accept that with any emerging country.

In some ways the ADF was clearly ill-prepared for the East Timor mission. At the time, what were the immediate lessons you learnt from the experience?

Both the ADF and the Government at the time knew just how stretched our military was in mounting that operation and it certainly had a big impact on me. I went from a position of saying, ‘No further reductions in defence spending’ – a rather mild consolation, really – to a situation where my Government significantly lifted baseline spending and continued to do so for the whole time that we were in Government. That operation put an enormous strain on us and it brought home to me, in particular, and to others in





International

Fighting for the future of Brazil

In just two decades Brazil has swung from a country on the brink of poverty to a boom nation. Yet hundreds of thousands of people have taken to the streets. What happened to the fun-loving postcard Brazil?

By Adeline Teoh
APSM Correspondent
Main Photo by Adeline Teoh

For a country of almost 200 million, Maracana Stadium is small. The Melbourne Cricket Ground may dwarf its capacity of 78,000, but the newly renovated soccer venue in Rio de Janeiro has already become a big icon of modern Brazil.

It started in early June 2013, when some 65,000 residents of Brazil’s largest city, Sao Paulo, demonstrated against a R0.20 (10c) rise in bus fares. By the end of the month, 800,000 protesters – more than 10 times the capacity of Maracana Stadium – had openly shown their dissatisfaction with President Dilma Rousseff’s government. In addition to the price rise for public transport, lack of investment in infrastructure, health and education were among the issues the rally fronted, these basic needs seemingly pushed into the shadows as money poured into hosting the 2014 FIFA World Cup and the 2016 Olympic Games. For the South American giant, now the sixth largest economy in the world, the blow to its global reputation will sting for some time yet.

The demonstrations captured previously private sentiment in a very public way, says Dr Zuleika Arashiro, lecturer in Politics and International Relations at Australian National University. “Most people I’ve spoken to in Brazil are surprised. They didn’t realise that the discontent we discussed at dinner tables and with friends was so generalised.” Arashiro, who has lived in Australia for seven years, recently returned to her native country for a year, where she sensed discontent. “There was a big gap between what people outside said Brazil’s potential was and what I was experiencing in Sao Paulo last year. There was something happening there already, not only in Sao Paulo but around the country.”

This gap is where the complexity lies. Brazil is a nation of extremes. There is extreme wealth, and there is extreme poverty; high taxes but corruption from the top down, preventing proper investment of public money for public good. Marcelo Armstrong, who runs Favela Tour, which gives tourists a glimpse of Rio de Janeiro’s shantytowns, agrees. “This is the Brazilian paradox. We pay too much and get too little; 40 percent [tax] is taken out and 15 percent is invested back, where does the rest of the 25 percent go? Bureaucracy, stupidity, corruption, administration. The administration thinks about what it can do for itself, its own interests. This corrupts the whole system.”

Symptoms of Democracy

Unlike the unrest in London a year prior to the 2012 Olympic Games, the protests in Brazil are largely peaceful demonstrations rather than riots, which makes all the difference. “That’s the advantage of democracy,” says Arashiro. “This is not coming through the international media. You cannot understand what’s going on now without





National

Thankyou... Speech by Paul McClintock

Security professionals work around the clock to protect Government organisations, businesses and homes. They are faced with making decisions instantaneously to save lives, possessions and property while putting their own life at risk. On the other side of the security coin are the other security professionals such as managers, Government advisors, and consultants – and they are seldom on a day to day basis rewarded for their actions. The Australian Security Medals Foundation is about honouring security personnel who are often unsung heroes and about changing perceptions of the industry.

At the Australian Security Medals Foundation awards’ night earlier this year, Paul McClintock AO FAICD, gave a speech. McClintock is Chairman of Thales Australia, Myer Holdings, I-MED Network and the Institute of Virology. His former positions include Chairman, Medibank Private (Australian Government); Director, Perpetual; Chairman, Council of Australian Governments Reform Council (Australian Government); Cabinet Secretary (Australian Government). Chairman of the Expert Panel of the Low Emissions Technology Demonstration Fund, Affinity Health, Ashton Mining, Plutonic Resources and the Woolcock Institute of Medical Research; Director of the Australian Strategic Policy Institute, and Macquarie Infrastructure Group; a Commissioner of the Health Insurance Commission and a member of the Australia-Malaysia Institute Executive Committee. He has flawlessly moved between business and Government and is highly regarded in the security industry. With appreciation to Jason Brown, Foundation Chairman and in recognition of the Australian Security Medals Foundation, we present McClintock’s speech:

Thank you… My friend Phillip Ruddock, Deputy Commissioner Nick Kaldas, distinguished guests. So may I begin by extending my own congratulations to all the medal winners, not just for their inspirational work, but for giving me the theme for these remarks. The challenge of a secure Australia has changed in recent years (as we heard from Phillip earlier) and this in turn has changed the role, and the importance, of the security industry.

We all remember where we were on September 11 – I was sitting up in bed with a house packed up to move the next day, and watching West Wing as we saw the planes hit the buildings. I was the Cabinet Secretary, and as it dawned on us what had happened, Elizabeth [my wife] remarked that she knew I wouldn’t be around the next day to help with the move. And I wasn’t.

The world did change, sadly, and security moved to the centre of the national agenda – where it remains today. Many other factors have been added to that momentum, including some of the issues Phillip dealt with in his time as a Minister – and almost every week one of my companies deals with cyber challenges driven by serious espionage, national or commercial, or mindless vandalism. Security is no longer an optional add-on in national or commercial life – it is essential.





Women in Security

A rose without a thorn

From a graduate preschool teacher to media and communications, there is no doubt that Christina Rose has travelled an incredibly diverse path to get to her current position as Assistant Director Office of Transport and Security, within the Department of Infrastructure and Transport.

By Kema Rajandran
APSM Correspondent

After the ACT Government closed 27 schools in the early ‘90s, Christina completed post-graduate studies in media and communications. This led her to work within the Australian Public Service where she managed a number of graduate and senior executive development programs and initiatives. From there, she moved into a policy and program management role with the National Office of Local Government and her curiosity stirred while wearing a hard-hat working on the Sydney Airport Noise Amelioration Program and putting in the foundations for the Adelaide Program.

“I was part of the team which in December 2009, delivered the Aviation White Paper which was [the] Government’s first consolidated forward-looking policy statement and I have been associated with aviation security matters within the department for some years now,” she says.

To complement her new career path, Christina commenced graduate studies in terrorism, safety and security this year and is currently the lead policy officer charged with designing the delivery and implementation of the Australian Government’s new training regime for passenger screeners at Australian airports. “This initiative was borne out of the December 2009 Aviation White Paper and harnesses mechanisms within the whole-of-government Vocational Education and Training system, ensuring the critical element of ‘national consistency’ in training outcomes is achieved.”

While some may give credit to a standout colleague they’ve met along their career path, Christina observed many colleagues she admired and tried in some small way to emulate their behaviours in the workplace and is now utilising those skills as a mentor to others. “I am a mentor as part of the iLead Talent Exchange initiative. This initiative has proved a true gift in that I’ve had the opportunity to spend time with a young, female security officer working at the Sydney Opera House, along with some of her peers and also a number of inspirational leaders across the security sector.”

Christina’s path, however, isn’t just a reflection of those she has emulated. Many years of hard work, commitment and dedication to each assignment has led her to some groundbreaking projects. “The week of September 11 2001, was also the week Ansett collapsed here in Australia. I was immediately drafted onto a four-person War Risk Indemnity Taskforce charged with working out how we, in concert with the rest of the world, would make sure aircrafts would remain flying and the industry solvent. “The Australian Government indemnified the industry to the tune of many billions of dollars and our taskforce was disbanded when we achieved this outcome; this took seven months.”





Cyber Resilience

BIG DATA TRANSFORMS SECURITY

An increasingly networked world is breeding a new crop of cyber criminals who are getting cannier in staying beyond the pale of the law.

By Sarosh Bana APSM Correspondent

Arthur (Art) Coviello, Jr, the widely acknowledged sage of cyber security, says that while cyber criminals are forever plotting new ways to infiltrate online and wireless systems across the world, intelligence-driven security strategies that use the power of Big Data analytics will help security practitioners regain the advantages of vigilance and time to better detect and defend against advanced threats.

In his opening keynote address on ‘Big Data Transforms Security’ at the Marina Bay Sands Convention Centre in Singapore, Coviello, the Executive Vice President of EMC Corporation and Executive Chairman of RSA, EMC’s security division, discussed the ways Big Data was transforming the security industry, information technology, business and society. He pointed out that while the richness and variability of the prodigious unstructured data being mined provided great opportunities for business and society, they also provided new attack vectors for adversaries. He reassured, however, that new tools and techniques were coming online to analyse all of this data. “It won’t be long before Big Data applications and stores become the ‘crown jewels’ of an organisation,” he stressed. “And those crown jewels will be readily accessible in the cloud and via mobile devices across our hyper-connected enterprises – and not just by us, but by our adversaries as well.”

Both EMC Corporation and RSA are headquartered in Massachusetts, with offices across the globe. Consolidated revenues were $21.71 billion in 2012 – $11.51 billion of this from the US and $3.02 billion from Asia-Pacific – with RSA’s sales totalling $888.7 million. The companies do not divulge country-wise earnings. A leader in cloud computing, EMC customises products and services for IT departments to store, manage, protect and analyse their most valuable asset – information – while RSA provides security, risk and compliance management solutions.

Held annually in San Francisco since 1991, the RSA Conference launched its annual edition in Singapore with a two-day event that drew 1,700 security vendors and operators, and public and private sector representatives from throughout the Asia Pacific region. Its theme, Security in Knowledge – Mastering Data, Securing the World, witnessed discussion around security issues from both a global and Asia Pacific perspective. A collaboration between RSA Conference, the Safety and Security Industry Programme Office (SSIPO) and the Singapore Tourism Board, the RSA event in Singapore had 50 sessions spanning the five tracks of Cybercrime and



Special Feature - Access Control

In the protection ZONE

The Australian Federal Government’s Protective Security Policy Framework states that each agency is responsible for its own access control, but what does this mean in the context of different Government organisations?



By Adeline Teoh
APSM Correspondent

Swipe cards, boom gates, visitor logbooks – these are all methods an organisation will use to prevent unauthorised entry into a building. No one element is much use, however, without a risk-aware approach to access control. For, as anyone who has ever politely held a door open for the person behind knows, it’s easy to be an unwitting weak link in the security chain.

Access control is a system of measures that allows authorised access to assets – of a personnel, physical or informational nature – while impeding others. The key is the balance between making it easy enough for authorised staff to go about their legitimate business while denying admittance to undesirable parties. According to the Federal Government’s Protective Security Policy Framework (PSPF), access control systems should provide identity validation by using authentication factors of:

• What you have – keys, ID cards, passes, etc
• What you know – PINs, etc
• Who you are – visual recognition, biometrics, etc.

Redefining security zones

The PSPF came into effect on 31 July, 2013. Essentially, apart from a few changes regarding definitions, the framework is no stranger to the security principles laid out in its predecessor, the Protective Security Manual (PSM). What were previously layers of secure areas are now ‘zones’, with each zone defined in terms of its accessibility. Agencies already compliant with access control principles in the PSM will see little difference with the PSPF, states Mark Jarratt, SCEC Security Zone Consultant at Norman Disney & Young. “In terms of the implementation and the framework, the majority of agencies would not have to change much at all in terms of their access control policies. If they have already met the minimum standard – which used to be called ‘intruder resistant area’, now called ‘Zone 2’ – they would not have to change anything. The actual security treatments are identical.”

Tony Haddad, Consulting Security Adviser at Security Advisers Australia, says the framework has helped support some aspects of the manual. “Some agency security advisers and consultants had varying levels of understanding and what this does is clarify what the Government expectations really are.” He agrees that while there have been some changes to language, ‘the principles are the same’. Therefore agencies that had a suite of documentation to address their security obligations under the PSM simply had to modify them to address the requirements of the PSPF. “Some agencies had complied with PSM and therefore compliance with the PSPF wasn’t too hard. It was a matter of making minor adjustments to their existing documents.”

Agency-led risk management

While the security principles have not changed, the manner in which agencies implement the protection of these zones represents a big shift. Compared with the PSM, the framework has changed emphasis from prescriptive to risk-based, which means the way security advisers within agencies deal with access control will vary according to the risk profile of the organisation. The framework covers this using business impact levels with the top three levels focused on risks to the nation and the lower three levels focused on the risks to the agency. “These can marry up quite easy to a risk management framework consequence table which puts it into a system that can assist with the identification of appropriate physical security depending on the level of business impact to the organisation,” says Haddad.

Dr Kevin Foster of Foster Risk Management notes that the framework fits with ISO31000 Risk Management by focusing on objectives. He says that while some agencies may have struggled previously with the integration of their security strategies into their enterprise risk management strategies the PSPF should facilitate better integration, though mentions that some agencies will find it challenging to redefine business impacts in enterprise risk management frameworks.

Jarratt says the problem with an agency-led model is that there are some organisations that are not as mature in their risk approach as others, leading to inconsistencies in expertise and resource allocation. “There are some who take it very seriously and it’s embedded in their organisational culture, like the Australian intelligence community agencies, the defence related agencies and the law enforcement agencies.

“For some of the others, they want to be able to tick the box to get the auditor off their back rather than have a cohesive integrated security management regime. They view security as a corporate overhead and a cost that they could cut rather than a cost of doing business without disruption, catastrophe harm, attack or danger.”

As a result, less mature agencies use the discretion allowed in terms of procurement for zones 1-3 to select security devices in line with comparatively smaller security budgets. Haddad says this allows for a fairer ‘horses for courses’ approach. “Various agencies will apply various


budgets depending on their risk appetite and the profile of their agency identified through a protective security risk assessment to ensure risks are being treated in the most cost effective manner.” There are risks in that approach too, adds Foster. “New approaches to access control are coming to market and agencies need to understand how these may be utilised but at the same time understand what vulnerabilities may be introduced. Not all locks are equal in security strength and not all electronic access control products are equal either.”

Not just barriers

Access control is not just about equipment; there is a clear behaviour management piece too. If the balance is tipped too far in favour of serving the ‘guards, guns and gates’ mentality it will impede authorised work and agencies can find their own staff undermining the process, says Jarratt. “You don’t want to have security access measures that are so difficult to comply with that people will try to deliberately defeat them, or they affect your business because they delay people doing legitimate work.”

The most cost-effective security is a security aware workforce committed to security measures and to protecting enterprise assets, he states. “If you can create an environment where the employees support your business because they realise the value of security, it’s a force multiplier. High trust organisations work better for less cost than low trust organisations, which can cause security issues because people are less likely to report incidents – they won’t have a shared sense of responsibility.”

The need for qualified security practitioners

Another factor of access control is the decision making process regarding equipment, training and communication. Less mature Government agencies either do not have dedicated security or risk management practitioners or the people in these roles have little experience in dealing with enterprise level security risk, exposing access control projects to poor decisions. “If they don’t have experience in risk analysis, they can sometimes be uneasy about the uncertainty that that creates when selecting security measures,” says Jarratt.

Haddad believes that in addition to specific security qualifications for particular disciplines it would be ideal for government security practitioners to have an overarching PSPF qualification. “Most practitioners have the capability and capacity to make informed decisions about risk and security, certainly those who’ve completed a Certificate IV in Security Risk Management, but an overarching course would be beneficial to all involved. It would provide a good insight into the governance requirements of the PSPF, the intent and how it applies to different agencies.”

Foster recommends that Security Construction and Equipment Committee (SCEC) endorsed security zone consultants should at least have a reasonable understanding of the security engineering aspects of the zones defined in the PSPF, although he admits this does not necessarily mean they can assess the effectiveness of protective security governance arrangements, management protocols, policies, or procedures. “Security in an agency needs to be holistic and multidisciplinary in nature,” he says. “I expect many consultants and agency security advisers need to be better qualified in risk analysis and risk management. Perhaps there should be a scheme to approve security risk management consultants that advise Australian Government agencies.”

The consequences of non-compliance

The Attorney-General’s department expects all agencies to file a compliance report by the end of August, 2013. At worst, non-compliance will see the organisation criticised in Parliament. Jarratt believes the Attorney-General’s department will be more constructive, however. “[It] has more of a ‘we would like to help you achieve this’ approach.” Security conscious agencies have already complied. It is the less mature organisations that will need help, either through waivers or extensions.

“Non-compliance with the PSPF, depending on the agency and its risk profile, may or may not result in an introduction of risk to that agency,” Haddad says. “Agencies that are non-compliant are expected to identify what risk that non-compliance presents and identify appropriate mitigation strategies.” They also have an obligation to inform other agencies of their non-compliant status, he underlines. “The intent of the PSPF is to make it risk-based, so if there is a risk when you’re sharing information with other agencies you should let them know, not to mention that with a couple of agencies it’s mandated that they be informed.”

For full details of the PSPF, visit www.protectivesecurity.gov.au. (Access control is covered in section 5.5.)

From top to bottom: Mark Jarratt - Norman Disney & Young; Dr Kevin Foster - Foster Risk Management; Tony Haddad - Security Advisers Australia



17-18 September 2013 | Grand Hyatt Melbourne

IN COLLABORATION WITH

SSQI, in collaboration with the Software Engineering Institute, Carnegie Mellon and the CMMI Institute, powered by Carnegie Mellon, would like to extend an invitation for you to participate in the Improving Systems and Software Engineering Conference (ISSEC), collocating with the 10th Annual Project Management Australia (PMOz) Conference, being held at the Grand Hyatt Melbourne, 17-18 September 2013. ISSEC 2013 is back stronger than ever! The 2013 program has been updated to deliver enhanced learning opportunities for everyone backed up with our renowned networking and social program. ISSEC is designed to make tailoring your learning experience easy; every presentation has defined learning outcomes published on the 'Theme and Announced Speakers' page. This means busy individuals can focus on the stream most directly relevant to their career development, or pick and choose presentations and workshops from across the program, as well as including any of interest from the conjoined Project Management Australia Conference (PMOz). Some of the highlights from this year’s program include plenary presentations from leading academics and corporate executives. Stream sessions include case studies and ‘how to’ papers from practitioners, research papers, and industry papers focused on specific techniques. The problem for most people will be deciding which sessions to attend, and which sessions to review afterwards by downloading the presentations from the Conference website.

CONFERENCE FEATURES

KEYNOTE: DR PAUL NIELSEN SEI, CARNEGIE MELLON

KEYNOTE: JOE JARZOMBEK DEPT OF HOMELAND SECURITY

KEYNOTE: KIRK BOTULA CMMI, CARNEGIE MELLON

KEYNOTE: PROF. HEINDRICH SCHMIDT RMIT

INTERACTIVE SESSIONS OVER TWO DAYS

REGISTRATIONS NOW OPEN

ENHANCED LEARNING OPPORTUNITIES

FLEXIBLE REGISTRATION RATES

REGISTER NOW AT www.issec.com.au


TechTime - latest news and products

IndigoVision releases new 5 Megapixel camera

The new IndigoVision 5 Megapixel (5MP) camera range has arrived. The cameras are available in Bullet, Fixed, Minidome and Microdome form factors. IndigoVision cameras include SD, HD 720p, HD 1080p, 2MP and with the new 5MP range there are more than 50 cameras giving more choice than ever before. Delivering amazing image quality, significant storage cost savings, all with the benefits of IndigoVision’s unique Distributed Network Architecture (DNA). Highlighted benefits are:

• Amazing Picture Quality: IndigoVision use a 1/2.5” sensor for high performance delivering sharper images, wider field of view, superior low-light and wide Dynamic Range (WDR) performance.
• Lower Bandwidth: IndigoVision 5MP cameras use an average of only 4Mbps for 12fps video compared with a typical 8Mbps from competing 5MP cameras — the more cameras, the more days of storage, the greater the cost saving.
• Completely Distributed: The use of a centralised management server in surveillance systems can create a single point of failure which places fundamental limitations on scalability as well as increasing total system cost. The IndigoVision 5MP camera range has been developed using IndigoVision’s unique Distributed Network Architecture (DNA), removing the requirement for a management server. IndigoVision’s distributed architecture is achieved through design within IndigoVision’s Network Video Recorders and award winning video management software, Control Centre.
• Totally Integrated with IndigoVision’s Control Centre: The IndigoVision 5MP camera range is optimised to work with Control Centre SMS4, giving true end-to-end benefits and peace of mind through trusted compatibility and unlimited viewing of live and recorded video.
• Reduced Total Cost of Ownership: Advanced H.264 compression cuts storage costs; Distributed Network Architecture (DNA) removes the need for expensive management servers; and Control Centre’s client licence-free price model reduces software management costs.

Visit www.indigovision.com to learn more about the new IndigoVision 5MP camera range, including real 5MP images demonstrating the amazing image quality.

IndigoVision launches GAI-Tronics Integration Module

IndigoVision has launched GAI-Tronics Integration Module, enabling alarm data to be seamlessly integrated between GAI-Tronics VoIP devices and IndigoVision’s video security solution. The IndigoVision GAI-Tronics Integration Module allows events and alarms from GAI-Tronics VoIP devices to automatically trigger live video or move PTZ cameras, within Control Centre, IndigoVision’s software user interface, trigger recordings and send notification emails. Alarm information is delivered to system security operators in a single, unified user interface making response even easier and faster.

GAI-Tronics develop specialised rugged communications products, evacuation systems, intercoms and critical telecoms equipment that are used in markets such as transportation, petrochemicals, mining and public safety. IndigoVision’s Integration Modules enable multiple third party security systems – such as access control, alarm systems and perimeter detection – to be seamlessly integrated with video security in IndigoVision’s Control Centre including Ipsotek and IceTana Analytics systems. Go to www.indigovision.com to learn more about IndigoVision Integration Modules.

Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media



2013 SUMMIT
September 12th, 2013, at Royal Holloway, University of London, UK

Who should attend?
Start-ups, aspiring cyber entrepreneurs, industry representatives such as Acquisition, Innovation & Partnership directors, government representatives, researchers & academics and journalists

Grand Final Agenda
• Pitches by finalists competing in Pre-Revenue and Post-Revenue Categories, responding to our call for innovations in cyber intelligence, access & ID management and use of social media in disaster management
• Interactive panels on Partnering for Market Success, How to Build & Sell your Cyber Start-Up, Biggest Cyber Needs That Aren’t Being Addressed and Biggest Mistakes Start-Ups Make

Tickets
For the first time ever, free of charge! But space is limited and we reserve the right to limit number of places per company so please reserve early with sgibneygomis@innocentive.com

For further information, visit: www.globalsecuritychallenge.com Or email us: info@globalsecuritychallenge.com


Logicalis introduces five-step process for tomorrow’s workplace

Corporate Australia is responding to the challenge of harnessing mobility for operational and sales productivity, with Logicalis, the international IT solutions and managed services provider, noting significant proactive demand for strategic mobility consultancy outstripping reactive demand for BYOD point solutions. To address changing customer requirements, Logicalis has outlined a five-step process to help organisations reviewing their mobility options tackle the growing opportunity and challenge of enabling employees in different departments, roles and locations to use a myriad of devices, applications, data and content securely.

Devised by its experienced customer-facing solutions architects nation-wide, Logicalis’ five-step approach recognises that a successful mobile strategy allows employees to work ‘natively’ while using technology applications, devices and data for insights and automation to perform their role and meet KPIs, whether that’s measured through an increase in sales, more efficient marketing campaigns, reduced operational overheads or better customer service.

Logicalis’ approach also acknowledges various stakeholders in the strategy with the user expecting an experience which matches how they like to work, the IT team expecting the solution to allow for self enrolment and onboarding of devices and the security team expecting apps and data to be delivered in a secure fashion whilst securing the network from the threats of the new devices. Management, HR, legal and IT, meanwhile, all expect the solution to be driven by tight policies while delivering tangible business value.

“We’re in the business of delivering ‘Tomorrow’s Workplace’ – work being something people do instead of a place they go,” says Oliver Descoeudres, Marketing Director at Logicalis. “This means we help customers identify, implement and manage technologies that strike a perfect balance between two business imperatives; technologies that enable operational efficiency and which give people the tools they need to do their best work.”

“Last year, six out of ten customer and prospect conversations were around BYOD where now easily nine out of ten people are proactively requesting strategic counsel on mobility as part of an operational productivity strategy. The focus on device ownership is somewhat misplaced given the spotlight should be on the value, processes and outcomes the device and its contents actually enable, but we see that the conversation on BYOD has essentially served as an interim step to where it needs to be,” added Descoeudres.

Logicalis’ five-step approach incorporates the following principles:

• Foundation: Strategy: The key to successful mobility is in the plan. It’s around gathering the business requirements for now and, if possible, for the next one to three years.
• Step one: Policy: Develop the policies needed to be able to implement a solution that will meet the business requirements. Those policies include HR, Legal, Security, and Usage. When these policies are created we can choose technologies that can deliver those policies, rather than choosing technologies and creating policies around the capabilities of the technology.
• Step two: Network: It all starts at the network and the aim of unified access is to transform wired and wireless networks into one converged and unified infrastructure in order to create greater simplicity, greater intelligence, operational consistency and scale, ultimately leading to greater business agility and efficiency.
• Step three: Devices: Securing the device consists of Mobile Device Management (MDM) technologies. MDM offers the CIO a way to address the management and control of both corporate owned and non-corporate owned mobile devices across both the main tablet platforms based on iOS and Android and a wide variety of smart phones.
• Step four: Apps and Data: Being able to deliver the users apps, as they want to use them, and doing so in a user-centric secure manner.
• Step five: Services: The services layer consists of solutions which can be overlayed on a mobility-enabled network. These consist of collaboration, Virtual Desktop Infrastructure (VDI), Bring Your Own Device (BYOD) towards the holy grail of tomorrow’s workplace.

For more information visit www.au.logicalis.com/mobility


LEADING INDEPENDENT SECURITY CONSULTANTS

Security, Risk & Resilience Independent, Specialist, Professional

T | + 61 8 6162 9920
E | info@amlechouse.com
W | www.amlechouse.com

security & risk management specialists



New camera platform – M15 – for MOBOTIX

Based on the new MOBOTIX 5 Megapixel Technology, MOBOTIX AG has launched a new camera platform, M15. It offers two exchangeable sensor modules and further builds on the MOBOTIX innovative camera platform concept. “The M15 offers the latest in MOBOTIX camera system technology and follows a proud tradition that we started over 13 years ago with the M1 and have continued with the M10 and M12,” says Dr Ralf Hinkel, Founder and CEO of MOBOTIX AG. “We are confident that the M15 will be breaking ground in many ways; technically, as a product platform concept, design-wise and because it is developed in a unique combination between end-users and MOBOTIX.”

The M15 is naturally developed around the MOBOTIX decentralised system technology which saves costs, management and network resources for the end-user. The M15 product platform offers two exchangeable 5 Megapixel sensor modules which are exactly the same modules as for the recently launched S15. “We have developed the M15 in close cooperation with our end-users and partners. Our end-users want a dynamic platform that can change with their current and future needs, and our partners want a platform for many different applications,” continued Dr Hinkel.

As the sensor modules can be easily exchanged by the end-user, they will always have an up-to-date camera surveillance system regardless of original mounting place and, at that time, the intended focus of that specific camera. “The end-users and our partners can today choose up to five completely different sensor combinations for this platform and in the future there will be even more,” says Dr Hinkel.

By using 5 Megapixel sensors for the M15 camera platform, the users will gain more than four times better light sensitivity in all conditions. The new sensor technology offers a frame rate of up to 30 frames per second and the zoom capabilities are increased by 27 percent in colour and by more than 200 percent in black-and-white. “It is important to emphasise that the M15 is a day-and-night camera not a day/night. The difference is huge between these two concepts, the M15 sensor modules, depending on configuration, are always able to offer one day and one night image simultaneously, which is especially important in low light conditions as well as in no light,” outlined Dr Hinkel.

The new M15 camera platform is IP66 certified and is successfully tested at a temperature range from -30 °C to +60 °C. Following MOBOTIX established product strategy, the M15 does not need any additional housing, fans, heating etc. “The user can take our new camera platform and literally install it wherever he or she wants to. We have people using our products in very extreme environments and they will be very happy with the M15,” says Dr Hinkel.

The M15 camera platform only needs around 5 watt to be fully functional, which both saves costs and energy for the users. “The new M15 is marked with the MOBOTIX Green IP-Video logo for being exceptionally environment-friendly, which is a social conscience initiative that MOBOTIX have taken and I feel very strongly about,” concluded Dr Ralf Hinkel.

A special advantage: The M15 is fully integrated with the new revolutionary MxActivitySensor technology for intelligent motion detection that reduces false alarms and errors considerably. The M15 is available through authorised MOBOTIX distributors and partners.


Check Point launches 13500 Appliance

Check Point has announced the launch of its 13500, the first in a new line of 13000 Appliances designed specifically to expand the company’s data centre network security offerings. The 13500 Appliance delivers blazing-fast security performance with 23.6 Gbps of real-life firewall throughput, 5.7 Gbps of real-life IPS throughput and 3,200 SecurityPower (TM) unit (SPU) rating.

Organisations often face the dilemma of choosing between deploying comprehensive security protections and maximising the performance of the network. The 13500 Appliance provides data centres with Check Point’s most advanced security protections, without compromises in network performance. In addition to implementing the most modern hardware architecture, the 13500 Appliance leverages a wide spectrum of software optimisations and accelerations that in turn maximise hardware utilisation.

Check Point’s multi-layer security protections, with four pre-defined security packages including Next Generation Firewall, Threat Prevention, Data Protection and Secure-Web Gateway are supported on the 13500 Appliance. These security packages allow for protection consolidation per appliance, delivering better performance to protect organisations against Advanced Persistent Threats and other modern cyber-attacks.

“As cyber-attacks continue to increase and evolve in sophistication, ensuring data centre security has become a top priority for customers all over the world. However data centre security should not be compromised by tradeoffs in performance,” says Dorit Dor, Vice President of Products at Check Point Software Technologies. “Our new 13000 Appliance family solves this challenge for our customers.”

Key features of the Check Point 13500 Appliance include:

• Boosted performance of up to 3,200 SPU
• 23.6 Gbps Firewall and 5.7 Gbps IPS throughput in real-life environments
• Connection capacity of up to 28 million concurrent connections
• Fully flexible and high performance hardware configuration
• An array of optional Network Interface Controllers (NIC), commonly shared with the 4000 and 12000 Appliance families
• Ease of Data Centre platform operation through advanced management solutions.

For more information on product functionality and specification, please visit: http://www.checkpoint.com/13000-appliances

Verizon builds gateway to secure Australian Federal Police’s IT systems

Verizon has been selected by the Australian Federal Police to supply a managed gateway service that will boost the security, reliability and overall efficiency of the agency’s IT systems. Under the terms of the deal, Verizon will supply the AFP and its client agencies – the Australian Crime Commission, the CRIMTRAC Agency, the Australian Transaction Reports and Analysis Centre and the Commonwealth Office of the Director of Public Prosecutions – with a dual Internet gateway service. It will provide intrusion detection and firewall management, anti-spam and anti-virus management, VPN management and DOS Protection with IPv6-capable bandwidth. With management fully outsourced to Verizon, Verizon will also staff a local contact centre that will provide 24/7 support.

The three-year, AU$15 million ($14 million) agreement is in line with the Australian Federal Government’s gateway reduction program led by the Department of Finance. Under the program, the Government is reducing its Internet gateways to eight from 124 over four years, during 2010 to 2014, to achieve a savings of AU$25 million.

“The AFP congratulates Verizon on winning the tender and looks forward to a professional and constructive partnership with Verizon,” says the AFP’s former Chief Information Officer, Assistant Commissioner Rudi Lammers.

In 2011, Verizon signed a five-year agreement worth more than AU$50 million ($46 million) with the Australian Department of Defence for a fully managed, dual Internet gateway solution and professional services support.


Pure Hacking launches Social Media Penetration Testing and Security Review Service

Pure Hacking – an Australian information security consultancy – has released a new Social Media Penetration Testing and Security Review service for enterprise to address the potential pitfalls of social media use in the workplace. The new offerings move beyond the traditional social engineering boundaries to assess the external security of the corporate social media footprint. This includes assessing credibility of content and those responsible for administrating the account across platforms including LinkedIn, Twitter, G+, Facebook, Instagram, Reddit, Myspace, Digg, Pinterest and more.

Australian organisations of all sizes now rely on Social Media as a key marketing and networking tool. For large enterprise more than 79 percent have a Social Media presence, whilst 34 percent of medium sized organisations and 27 percent of small business have an established Social Media profile. However, small business is rapidly catching up, experiencing more than a 10 percent increase in the past 12 months alone (Yellow™ Social Media Report, June 2012).

For Pure Hacking’s CEO, Rob McAdam, recent Social Media issues for enterprise highlight the potential lack of processes and security benchmarks for Social Media. These incidents include the hijacking of a Twitter account negatively impacting the NYSE and the refusal to return 17,000 Twitter followers in the case of PhoneDog in the USA. Fair Work Australia is also outlining that clear Social Media policies are needed to legally manage inflammatory remarks across corporate Facebook accounts.

McAdam outlined, “An organisation’s Social Media profile is often the primary face for sales and marketing operations and if managed incorrectly from a process and security perspective, it can potentially pose an Achilles heel for a business. Any security compromise or loss of control of Social Media accounts may damage your brand and impact heavily on the bottom line for both IT and marketing.”

Pure Hacking has announced its Social Media Penetration Service that identifies all Social Media accounts linked to an organisation, as well as references to an organisation over Social Media networks to assess security and reputational risks. Pure Hacking’s Social Media Security Review Service performs an operational review of an organisation’s Social Media presence. This review includes determining who has access to Social Media accounts, confirmation of password policy and termination of access when staff depart, the presence of dormant accounts and stored passwords, together with the risk awareness level of staff and tactics required to close down Social Media accounts.

McAdam concluded, “Social Media is sometimes the single influencer in a purchasing decision for consumers and the integrity of the data at hand is as crucial as an organisation’s data centre. With considerable investment in Social Media from organisations of all sizes, we encourage the business owners, marketing teams, along with the IT management to professionally manage the security of their Social Media platforms.”

Saab to deliver integrated security solution for Defence Base Security in Australia

Defence and security company Saab has signed a contract with Watpac Construction Pty Ltd for the installation and commissioning of electronic security systems for the Australian Department of Defence. The contract amounts to MSEK 470 and deliveries will take place 2013-2014.

Watpac has been contracted as the Head Contractor by the Defence Support and Reform Group for the Base Infrastructure Works Project under the Base Security Improvement Program. This program will improve security at 16 priority defence sites. Saab is responsible to the Head Contractor for the integrated security solution based on its own and third-party products.

Head of Saab’s business area Security and Defence Solutions, Gunilla Fransson, says, “Saab is a leading provider of security systems and our solutions for managing security in complex locations and situations are well proven. We have already completed security management contracts in prisons and Australian Government facilities.”

This project will be carried out by engineering staff already working at Saab’s systems integration facility at Mawson Lakes in Adelaide, Australia. Dean Rosenfield, Managing Director, Saab Systems in Australia, commented, “We have proven our readiness and reliability to meet the most stringent security requirements and are looking forward to working with Watpac to meet Defence’s base protection needs.”

Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media


TechTime - latest news and products

City surveillance market to more than double by the year 2017

The global market for electronic security equipment aimed at city surveillance applications will more than double in size from 2012 to 2017 as metropolitan areas adopt mobile technology to deal with threats more efficiently, according to a new report from IMS Research, now part of IHS Inc. (NYSE: IHS). World-wide, revenue for electronic security equipment in city security will expand at a compound annual growth rate of 17.8 percent from 2012 to 2017. By 2017, wireless infrastructure and CCTV and video surveillance equipment will amount to just over $3.2 billion, up from $1.4 billion in 2012.

City surveillance is a key tool for police departments to manage metropolitan centre locations, with crime reduction typically being the main goal. Using this technology, police can access video surveillance feeds from mobile command centres when responding to an incident. This allows the police to coordinate efficient, quick responses to any event. Cities face a number of threats, ranging from the kind of widespread civil unrest that recently affected Istanbul to lone-wolf and terrorist attacks, like the recent Boston marathon bombings. These threats underscore the need to provide fast access for video surveillance systems.

“City video surveillance systems have a key requirement to provide clear, useable images so that police departments can conduct effective investigations when needed,” says Paul Bremner, Market Analyst for Safe Cities and Security Services at IHS. “If the video surveillance system can’t do that, then it is failing in its primary purpose.”

Along with fast access for video surveillance systems, the requirement to push video streams out to various individuals and organisations across the city has increased. The mobility offered by these video systems is a key tool for police departments when managing city-centre locations. “For cities the focus has shifted from basic surveillance needs toward mobile surveillance,” outlines Bremner. “Emerging technology can send the video to police officers on the street, streaming that video directly to the smartphones or laptops in their patrol cars. Such mobile surveillance technology will act as a force multiplier for the officers on the ground.”

The IHS report entitled ‘Vertical Insights – Video Surveillance and Security in City Surveillance – World – 2013 Edition’ combines feedback from end-users, integrators and consultants working within the city surveillance market. The report explores the threats faced by cities, critical success factors for security systems and the decision processes behind city surveillance projects. The report presents market sizes and forecasts to 2017 for EMEA, Asia and the Americas. It is part of a series of reports focused on six different end-user industries including banking and finance, city surveillance, critical infrastructure, education, retail and transportation.

Quantum Secure now on FIPS 201 Approved Products List

Quantum Secure in San Jose, California, US, has been added to the GSA Approved Products List (APL) in the Caching Status Proxy Category. As Quantum Secure is certified in the category with no restrictions, federal agencies choosing their SAFE for PIV Credential product will get a complete FIPS 201-compliant solution within the category.

“Physical security and identity management is a critical need for government agencies,” says Ajay Jain, Quantum Secure President and CEO. “Now that we have been certified as a vendor, Quantum Secure’s SAFE solution is accessible to manage this important security need for government agencies.”

According to the category description, the caching status proxy is a product that periodically polls the status of all registered PIV Cards, and caches the status responses from the issuer. Caching status proxies are useful in scenarios that require extremely quick query responses for certificate revocation status information or when physical access control systems need to cache certificate revocation information to make an access control decision when online certificate validation is not possible.

The goal of the FIPS 201 Evaluation Program (EP) is to evaluate products and services against the requirements outlined in FIPS 201 and its supporting documents. In addition to derived test requirements developed to test conformance to the National Institute of Standards and Technology (NIST) Standard, the General Services Administration (GSA) agency has also established interoperability and performance metrics to further determine product suitability. A set of approval and test procedures has been developed which outlines the evaluation criteria, approval mechanisms and test process employed by the Laboratory during their evaluation of a Supplier’s product or service against the requirements for that category.

Issue #50 | Asia Pacific Security Magazine APSM | 37


Body Cavity Bombers: The New Martyrs
A Terrorism Research Center Book
Robert J Bunker and Christopher Flaherty

By co-author Christopher Flaherty

Dr Robert J Bunker is adjunct faculty with the School of Politics and Economics at the Claremont Graduate University. Dr Christopher Flaherty is an active contributor on security, terrorism early warning and related international intelligence issues.

In January 2013, explosive devices were surgically placed in two corpses belonging to slain police officers in Latehar, India, one of which detonated and killed four civilians, making this technique an ongoing security concern. These incidents, and many others like them during the past five years, emphasize the increasing importance of the trends and themes highlighted and analysed in the book Body Cavity Bombers: The New Martyrs. It is a serious analytical book focusing on an extreme and still emerging form of terrorism utilising body cavity bombers.

If someone had suggested intentionally creating a book on body cavity bombs (BCB) ten years ago, the suggestion would have been considered ludicrous and bordering on paranoia. At best, it might have been considered one of those thousands of terrorism ‘what if’ questions that counter-terrorism professionals beat themselves up over but ultimately recognise that available public resources cannot defend against all such contingencies. It would likely have been filed as a long shot and wild card scenario.

While 9/11 changed many of our perceptions concerning terrorism and viable threats to US homeland security, placing bombs inside live human beings was still definitely not on the radar. The concept smacks of children’s science fiction from the late 1960s – such as the explosive devices implanted in enemy operatives in the Johnny Sokko and His Giant Robot television series. It is argued in the Conclusion to this book that the concept of the BCB has been regularly used as a theatrical-plot device in many popular TV shows and movies since at least the late 1960s, developing a cogent terrorist TTP (tactics, techniques, and procedures). Notional precedent notwithstanding, it was not until August 2009 that the first use of a BCB was recorded – by Al-Qaeda of the Arabian Peninsula. The book seeks to portray the fact that terrorism is evolving far more rapidly than most of us ever expected.
The creation of this book is, in many ways, a saga in itself. As early as 2003, Robert Bunker’s suicide bomber research leading to counterterrorism solutions represented a considerable component of his then professional law enforcement support duties with the Counter-OPFOR Program, National Law Enforcement and Corrections Technology Center-West and the Los Angeles Terrorism Early Warning Group. These duties included the coordination of the data basing of suicide bomber incidents, threat group suicide bombing pattern analysis, playbook construction, red teaming, and response guidance.

We recognised early on the iterated offensive and defensive dynamic of a suicide bomber and security force countermeasures and saw the offensive potentials inherent in an explosive device carried by a suicide bomber secreted inside of the human body. This resulted in a non-public disclosure series of presentations on projected BCB employment that took place between September 2006 and August 2008, in the United States and later in the United Kingdom. These presentations were resumed between October 2009 and February 2010, as a by-product of the first recorded use of a BCB device by Al-Qaeda of the Arabian Peninsula in August, 2009.

As an outcome of this incident and the previous and subsequent presentations, a decision was made to create a manuscript that systematically discussed the analytical approach undertaken in making the initial projection regarding BCB use. By this time, discussions were openly taking place on the internet concerning BCB – the ‘cat was out of the bag’ so to speak as a result of the heavy media reporting of the incident in question, which allowed the non-public disclosure ban regarding this specialised suicide bomber TTP to be lifted. As a result, the BCB projected use document was finalised in May 2010, and published, with an addendum written in November 2010, in March 2011.

My revaluation in May 2012 of Bunker’s original document resulted in our collaboration as the primary authors behind this book. Conceptualised in June 2012, a number of subject matter experts helped provide additional expertise concerning explosive blast effects and sensor and scanning systems utilised to detect explosive devices. This small research group, coordinated principally by myself, also contributed quite a bit of new material analysing various aspects of BCB, which led to the creation of this book during the past year.

